All the Perl that's Practical to Extract and Report


Using values from web-form input in a qx{ sprintf "blah %s blah", $input } without taint checking the $input first is not safe, never was, and never should have been considered safe. If someone ever said "it's only a way to crash the program, no way to break in here", they were not listening to history. Running system commands with user input is always going to be a target of opportunity; you have to defend that in depth. You've got to check for buffer overrun (even if you can't see the buffer) and ;'s and

where $precision derives from user input. This exposes Perl code to all the same format string vulnerabilities [wikipedia.org] that have commonly been found in C code. I've been pointing this out for a while now. I'm surprised that more people haven't picked up on it.

Well, let's say it's both. Perl could have been more paranoid, the C lib could be more paranoid, and Perl script authors should be more paranoid. Unclear, but I suspect this bug is only usable when taint mode should have been on but wasn't?
MaintPerl already has patch 26420 http://www.nntp.perl.org/group/perl.perl5.changes/14020 [perl.org], so Perl is now a bit more paranoid.
The Ubuntu security team reports the problem as follows. Also patched in FC4 security updates and FC3 backport. Somewhere along the line the CVE# got a typo.

Huh? Should I also report the fact that open FH, $foo can be used for mischief if $foo derives from user input?
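The point the comment above makes about open FH, $foo, as an added example that is not part of the original thread (function names and the "data/" directory are hypothetical): two-argument open treats the string as a mode specification, so a trailing "|" turns a "filename" into a command to run, while three-argument open takes the name literally.

```perl
# Added example (not from the original thread): two-argument open
# interprets magic characters in the name ("|", ">", "<", "-", ...),
# so user-controlled $foo can run a command. Three-argument open
# opens the name literally. Function names are hypothetical.
use strict;
use warnings;

# Constructed attacker input: a trailing pipe makes this a command,
# not a file. "echo" is used so the demo is harmless to run.
my $foo = 'echo OWNED |';

# Unsafe (two-arg open): runs "echo OWNED" and reads its output.
sub read_unsafe {
    my ($name) = @_;
    open(FH, $name) or return "open failed: $!\n";   # executes the command
    my $out = do { local $/; <FH> };
    close FH;
    return $out;
}

# Safe: explicit read mode plus a whitelist on the name. Everything
# outside [A-Za-z0-9_.-] is rejected, and names starting with "."
# (including "..") are refused so the path stays inside data/.
sub read_safe {
    my ($name) = @_;
    my ($clean) = $name =~ /\A([A-Za-z0-9_.-]{1,64})\z/
        or return "rejected name: $name\n";
    return "rejected name: $clean\n" if $clean =~ /\A\./;
    open(my $fh, '<', "data/$clean") or return "open failed: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

print "unsafe: ", read_unsafe($foo);   # prints "unsafe: OWNED"
print "safe:   ", read_safe($foo);     # prints "safe:   rejected name: echo OWNED |"
```

Under perl -T the capture $clean is what untaints the name; without the whitelist, a tainted $foo would already be refused by open, but the three-argument form is the real fix, because it removes the mode-parsing behaviour rather than hoping the input never contains "|".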

And this isn’t even as openly dangerous.

Cursory experimentation and a superficial browsing of the source suggest it's not possible to corrupt perl's stack using printf [perl.org], so this isn't a vulnerability in perl. It is quite possible to inject unexpected %ns into the format string to make an application fall over, though, so it definitely constitutes a vulnerability in P

I can see where prepping the stack for a varargs hack could be hard but not impossible with only a web client to work with.

Escaping or removing all relevant magic characters (e.g., %) is only one of the things one must do with user input before using it. Verifying that the syntax is as expected and the size isn't absurd is also required for safety. (Some semantic checks may even be required to protect the backend from GIGO attacks, b
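The $precision case from the earlier comment and the "verify syntax and size" advice in the comment above, together in one added example that is not code from the thread (render_unsafe, render_safe and untaint_precision are hypothetical names). It shows the user-controlled precision spliced into the format, what an attacker can do with that, and the hardened form, where the format is a constant and the precision travels as an ordinary argument via "*" after a syntax-and-size check.

```perl
# Added example (not from the original thread): user input reaching
# sprintf's format string versus the hardened form. Function names are
# hypothetical; sample inputs are constructed.
use strict;
use warnings;

# Vulnerable: $precision is interpolated into the format itself, so the
# client decides which conversions run and how much memory they need.
sub render_unsafe {
    my ($value, $precision) = @_;
    my $fmt = "Total: %.${precision}f (ref %s)";
    return sprintf($fmt, $value, 'order-1234');
}

# Syntax and size check: accept only a one- or two-digit integer.
# Under perl -T the capture from a successful match is what untaints $p;
# the tight pattern also bounds the buffer sprintf will have to build.
sub untaint_precision {
    my ($raw) = @_;
    my ($p) = ($raw // '') =~ /\A([0-9]{1,2})\z/
        or die "precision must be an integer 0-99\n";
    return $p;
}

# Hardened: the format is a constant and the precision is passed as an
# argument through '*', never spliced into the format string.
sub render_safe {
    my ($value, $precision) = @_;
    my $p = untaint_precision($precision);
    return sprintf('Total: %.*f (ref %s)', $p, $value, 'order-1234');
}

my $value = 19.99;

# Honest input: both versions print "Total: 19.99 (ref order-1234)".
print render_unsafe($value, '2'), "\n";
print render_safe($value, '2'), "\n";

# Constructed attacker input 1: extra conversions pull later arguments
# into attacker-chosen positions and leave the real %s with nothing
# (perl warns "Missing argument in sprintf"). The format becomes
# "Total: %.2f %sf (ref %s)".
print render_unsafe($value, '2f %s'), "\n";

# Constructed attacker input 2: an absurd precision. Since the overflow
# checks added in 5.8.8 perl croaks ("Integer overflow in format string"),
# which kills the request unless something catches it.
eval { render_unsafe($value, '9' x 30) };
print "unsafe died: $@" if $@;

# The hardened version rejects both before sprintf ever sees them.
for my $bad ('2f %s', '9' x 30) {
    eval { render_safe($value, $bad) };
    print "safe rejected '$bad': $@" if $@;
}
```

The "*" precision is what makes the constant format possible; perl numifies whatever it is given, so the regex check is still needed to keep the size sane and to untaint the value when running under perl -T.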

Somehow, strangely, this was already fixed...maybe I did it
subconsciously, maybe there are helpful little gnomes running around
in the repository and fixing bugs while we sleep, I don't know..
-- Jarkko Hietaniemi

Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.